Global insurer AIG has seen a tremendous spike – 87% - in cyber insurance queries in Greater China, including China, Hong Kong, Taiwan and Macau in the aftermath of the WannaCry and NotPetya ransomware attacks that struck in recent months.

However, corporate executives in the region still show a degree of complacency that they face similar exposure from these incidents as their US and European counterparts.

“Despite increased awareness brought about by the recent global cyberattacks such as WannaCry and NotPetya, many companies in Asia still do not understand their cyber exposure because so much of what happens occurs out of the public eye,” said Jason Kelly, head of Liabilities and Financial Lines for Greater China, Australasia and South Korea, AIG.

He noted: “If you are a small and mid-sized company and you are working with large companies, you are now a target for hackers who want to infiltrate your systems to get into the larger multinational. You really have to understand the dynamics. This is really important. That is why we often say this is a board level issue and it is a risk management process.”

AIG is one of the first insurers in the world to offer cyber insurance, launching its first product in the US in 1999. Last year, it has insured 22,000 commercial clients against cyber-related risks and 22 million individuals against identity theft globally. AIG has seen this part of its business grow on an average of 20% to 25% annually over the last three years.

Meanwhile, in Hong Kong, AIG has seen a 60% increase in claims and notifications for cyber-related events in the last 12 months.

Cynthia Sze, head of Financial Lines – Hong Kong at AIG said SMEs, which comprised more than 90% of local enterprises, needs to learn that the impact of a cyber incident can go beyond Hong Kong.

“One cyberattack can cause multiple jurisdiction issues to a company. Some organizations believe if they operate in Hong Kong, their exposure should only be limited to Hong Kong. Is this true? That is a question organizations need to think about,” she said.

She added: “For example, a hotel that operates in Hong Kong will have customer information – credit card, personal information – from other countries. According to EU’s data protection laws which will be enacted next year, they mentioned no matter where you operate, as long as you process EU citizen data, you need to report within 72 hours. And if you don’t do so, there are fines and penalties to follow.”